Virtual affairs of state: How cyberthreats increasingly intertwine with politics

Before recently, there was a wide perception that cyber-attacks affect only high-level officials, banks, governments or rich celebrities. After last year’s elections in the US though, a real ‘trickle down’ effect of cyberthreats on ‘ordinary’ citizens has become part of the global agenda. Cyberthreats have lately been used not only to steal and spy but more often to misinform, expose and damage democratic processes as a whole. They have become not only more accessible but also ever more political.

Give me a price

For the past several years cyberthreats have become more sophisticated and widespread. Hacking is now a service and almost a commodity. Depending on their type and sophistication, cyber-attacks have varying price tags per hour, which drop every year due to a growing demand for these activities worldwide. Therefore, more and more private entities participate in interstate cyberwarfare, making the link to governments ever more difficult to prove.

The most affordable item on the cyber shelves are DDoS attacks (distributed denial of service), which often involve infecting a multitude of ordinary citizens’ computers in order to orchestrate a simultaneous attack on the servers of key democratic institutions (often of their own countries), to disrupt the operations.

These have increasingly targeted political parties, news agencies and election monitoring organisations. Therefore, one can remotely argue that getting one’s laptop infected (even unwittingly) can undermine the democratic process of one’s own country to a certain extent.

Given the minimal resources required to launch a DDoS attack, a technology giant like Google has already promoted the Protect Your Election initiative, which offers DDoS protection free of charge to smaller entities such as human rights and election monitoring websites on the eve of the upcoming French and German elections.

On the hook

Regrettably, ordinary citizens continue to get their computers easily infected by clicking on spam links such as those circulating during the US election offering tips to get as rich as Mr. Trump. But even for the more initiated members of society, a targeted and disguised malicious attack ostensibly coming from a friend or colleague, known as ‘spear phishing’, remains a serious concern.

A very tailored (yet mediocre) spear phishing attack was used to hack a high-level body such as the US Democratic National Committee (DNC). But a report by ENISA[1], a EU cyber security agency, shows that this method is increasingly used to attack smaller entities, because they have less resources for cyber protection and staff training. Google is offering its help with these types of attacks as well. But more effort from the public sector would definitely be welcome.

Spreading #fakenews

When Oxford English dictionary included ‘post-truth’ as the new word of 2016 it got wide attention. But few however associate this new buzzword with other obscure and geeky-sounding cyber threats such as botnets.

In the times when voters’ decisions are increasingly influenced through social media, botnets have a major impact on the wider issue of disinformation. These are malicious software (malware) used by hackers to infect computers and spread fake stories through fictitious accounts on social media such as Twitter. Hence, not every cyber ‘troll’ on social media has a real person behind it. One single botnet can facilitate the proliferation of fake accounts sometimes amounting to hundreds of thousands.

Politics are no longer influenced through “rent-a-crowd and bogus leaflets”, as one Obama administration official once put it[2]. In the past year, ‘alternative facts’ already had their fair share in destabilizing two Atlantic democracies and these were spread not without the help of botnets.

Media outlet such as Le Monde have, for example, already made concrete steps in tackling fake news by aligning with social media platforms like Facebook. This cooperation allows them to act as ‘certified’ fact checkers by signalling dubious stories that spread on the social network.[3] While this effort is plausible, without addressing the issue of proliferation of these stories through botnets, alerting each story individually can seem a quixotic effort.

“Eternal vigilance is the price of liberty”

Fighting cybercrime will continue to be a prerogative of computer experts, given the technical nature of the issue. However, what policy makers could do is to take as an example the initiatives of private entities such as Google by allocating special budgets for cybersecurity systems to key electoral entities, especially the smaller ones. Mandatory firewalls and cloud-based DDoS mitigation tools as well as free of charge basic cyber training for electoral staff could substantially diminish the number of phishing and DDoS attacks.

When it comes to fighting disinformation, various measures have already been taken on the highest levels in Europe and beyond. The EU set up the East Stratcom Task Force to fight propaganda on an official level. But even this pan-European initiative is said to be underfunded at the moment.

News publishers do already cooperate with cyber experts to identify botnets and fake accounts, but this continues to be very difficult at this point. One solution could be spreading awareness of free of charge and easy to use fact-checking tools such as Chrome web-browser extensions.

After all, given the prominence of the cyber space and overload of information today, making our democracies more stable with better software would not seem a farfetched idea anymore.

Sergey is a public affairs consultant in Brussels. Originally from Moldova, Serghei has experience in international organisations such as the United Nations and the OSCE with a specific focus on Eastern Europe. He also worked at the Hague Centre for Strategic Studies in the Netherlands.